Co-authored-by: wasal.stor <wasal.stor@gmail.com>
This commit introduces a suite of scripts for managing a VPS, including connection, monitoring, backup, and security checks. It also includes comprehensive documentation to guide users. Co-authored-by: wasal.stor <wasal.stor@gmail.com>
This commit introduces a comprehensive audit report for the VPS Hostinger tools. Co-authored-by: wasal.stor <wasal.stor@gmail.com>
| # معلومات الاتصال | ||
| VPS_HOST="147.93.120.99" | ||
| VPS_USER="root" | ||
| VPS_PASSWORD="9'hG8lV1RCU)sesnQ3hA" |
Hardcoded VPS root credentials exposed in repository
The VPS root password 9'hG8lV1RCU)sesnQ3hA, along with the server IP and username, is hardcoded in multiple shell scripts and markdown documentation files being committed to the repository. This exposes production server credentials to anyone with repository access. The credentials appear in connect-vps.sh, setup-ssh-keys.sh, vps-backup.sh, vps-manager.sh, and VPS_CONNECTION_README.md. Credentials should be stored in environment variables or a secrets manager, not committed to version control.
| // Add active class to clicked link | ||
| event.target.classList.add('active'); | ||
| event.target.style.background = 'rgba(79, 172, 254, 0.3)'; |
Function uses undefined event variable causing runtime error
The showTab function references event.target on lines 420-421, but event is never passed as a parameter to the function. The function is called from DOMContentLoaded on line 631 as showTab('execute') where no click event exists, causing event to be undefined and resulting in a runtime error that prevents the dashboard tabs from initializing properly.
💡 Codex Review
Here are some automated review suggestions for this pull request.
| VPS_HOST="147.93.120.99" | ||
| VPS_USER="root" | ||
| VPS_PASSWORD="9'hG8lV1RCU)sesnQ3hA" |
Remove hardcoded VPS root password
This script embeds the VPS root password in the repository (VPS_PASSWORD=...). Anyone with read access to the repo can log into the server, and the secret is permanently exposed in git history even if later removed. This is a critical security leak for any environment where the VPS is reachable; move the credential to a secret manager/env var and rotate the password immediately.
| echo -e "${RED}❌ sshpass غير مثبت. جارٍ التثبيت...${NC}" | ||
| sudo apt-get update && sudo apt-get install -y sshpass | ||
| fi | ||
| sshpass -p "$VPS_PASSWORD" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$VPS_USER@$VPS_HOST" "$@" |
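Review bot: `sshpass -p "$VPS_PASSWORD"` on the last line places the root password in the ssh process's argument list, where any local user can read it from `ps` or `/proc/<pid>/cmdline` for the life of the session; sshpass's `-e` (password taken from the `SSHPASS` environment variable) or `-f` (a 0600 password file) avoids that. The preceding `sudo apt-get update && sudo apt-get install -y sshpass` also installs a package on the operator's machine without asking; print the install instruction and exit non-zero instead, so the script never needs sudo.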
Do not disable SSH host key verification
The SSH invocation explicitly disables host key checking and discards known_hosts. If a user runs this script on a compromised network or with DNS/route hijacking, sshpass will send the root password to a spoofed host without any warning. This materially weakens SSH’s protections; prefer trusting a pinned host key (e.g., pre-populate known_hosts) instead of StrictHostKeyChecking=no.
Pull request overview
This pull request adds VPS (Virtual Private Server) host status checking and management capabilities along with significant enhancements to the AI Agent Platform, including new agents, improved Arabic language processing, and user interface improvements.
Key Changes
- VPS management infrastructure with multiple shell scripts for monitoring, backup, and administration
- New AI agents: Translation Agent, Analysis Agent, and unified SDK Agent
- Enhanced Arabic language processing with advanced morphology and grammar analysis
- Improved web retrieval with real search capabilities (DuckDuckGo integration)
- New HTML dashboards for servers, monitoring, and system management
- Common UI components with bilingual support (Arabic/English)
Reviewed changes
Copilot reviewed 49 out of 51 changed files in this pull request and generated 26 comments.
| File | Description |
|---|---|
| vps-status.sh | Quick VPS status check script with system metrics |
| vps-monitor.sh | Advanced VPS monitoring with continuous mode and detailed analytics |
| vps-manager.sh | Comprehensive VPS management dashboard with menu-driven interface |
| vps-backup.sh | Automated backup solution for VPS files and databases |
| vps-quick-commands.sh | Quick command wrapper for common VPS operations |
| setup-ssh-keys.sh | SSH key setup automation for passwordless authentication |
| connect-vps.sh | Interactive VPS connection script with multiple options |
| ssh-config-vps | SSH configuration template for easy VPS access |
| install-complete-vps.sh | Complete VPS installation script for the AI platform |
| VPS_TOOLS_SUMMARY.txt | Summary documentation for VPS tools |
| dlplus/agents/translation_agent.py | New translation agent with multi-language support |
| dlplus/agents/analysis_agent.py | Comprehensive text analysis agent |
| dlplus/agents/sdk_agent.py | Professional unified SDK agent with advanced features |
| dlplus/agents/web_retrieval_agent.py | Enhanced web search with DuckDuckGo integration |
| dlplus/core/arabic_processor.py | Significantly enhanced Arabic language processing |
| dlplus/config/agents_config.py | Updated agent configurations with expanded capabilities |
| examples/sdk_agent_usage.py | Usage examples for the new SDK agent |
| index.html | Redesigned command center dashboard |
| servers.html | New servers and platforms management interface |
| monitoring.html | Comprehensive monitoring dashboard |
| onlainee.space/dashboard.html | Added publish all functionality |
| onlainee.space/command-center.php | Added publish_all endpoint |
| common/styles.css | Shared styling for multi-page dashboard |
| common/navigation.css | Central navigation component styles |
| requirements.txt | Added dependencies for new agent capabilities |
| .gitignore | Added patterns for VPS backup files |
CRITICAL SECURITY ISSUES IDENTIFIED: Multiple files contain hardcoded credentials that must be addressed before merging.
| VPS_HOST="147.93.120.99" | ||
| VPS_USER="root" | ||
| VPS_PASSWORD="9'hG8lV1RCU)sesnQ3hA" |
The same VPS credentials are hardcoded here. This creates multiple locations where the password is exposed. Credentials should be centralized in a secure configuration file that is not committed to the repository.
| VPS_HOST="147.93.120.99" | ||
| VPS_USER="root" | ||
| VPS_PASSWORD="9'hG8lV1RCU)sesnQ3hA" |
Hardcoded credentials exposed. The password should be stored securely, not committed to version control. Use environment variables or secure credential management.
| VPS_HOST="147.93.120.99" | ||
| VPS_USER="root" | ||
| VPS_PASSWORD="9'hG8lV1RCU)sesnQ3hA" |
Hardcoded password in plain text. This is a critical security vulnerability. Use environment variables or secure secret management instead.
| VPS_PASSWORD="9'hG8lV1RCU)sesnQ3hA" | ||
|
|
Hardcoded VPS password exposed. Use environment variables or a secure configuration file that is excluded from version control via .gitignore.
| VPS_PASSWORD="9'hG8lV1RCU)sesnQ3hA" | |
| if [ -z "${VPS_PASSWORD}" ]; then | |
| echo "Error: VPS_PASSWORD environment variable is not set." | |
| echo "Please export VPS_PASSWORD before running this script." | |
| exit 1 | |
| fi |
| <script src="common/navigation.js"></script> | ||
|
|
||
| <script> | ||
| const KHALID_TOKEN = 'KHALID_MASTER_2025_AGENT'; |
Hardcoded authentication token in JavaScript code. This token is exposed to anyone who views the page source. Move authentication tokens to server-side code and implement proper API authentication mechanisms.
| connect_vps() { | ||
| if [ -f ~/.ssh/id_rsa ] && ssh -o ConnectTimeout=3 -o BatchMode=yes "$VPS_USER@$VPS_HOST" exit 2>/dev/null; then | ||
| ssh "$VPS_USER@$VPS_HOST" "$@" | ||
| else | ||
| if ! command -v sshpass &> /dev/null; then | ||
| echo -e "${RED}❌ sshpass غير مثبت${NC}" | ||
| exit 1 | ||
| fi | ||
| sshpass -p "$VPS_PASSWORD" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$VPS_USER@$VPS_HOST" "$@" | ||
| fi | ||
| } | ||
|
|
||
| # دالة النسخ | ||
| scp_vps() { | ||
| if [ -f ~/.ssh/id_rsa ] && ssh -o ConnectTimeout=3 -o BatchMode=yes "$VPS_USER@$VPS_HOST" exit 2>/dev/null; then | ||
| scp "$@" | ||
| else | ||
| if ! command -v sshpass &> /dev/null; then | ||
| echo -e "${RED}❌ sshpass غير مثبت${NC}" | ||
| exit 1 | ||
| fi | ||
| sshpass -p "$VPS_PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$@" | ||
| fi |
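Review bot: in both `connect_vps` and `scp_vps` a 3-second probe (`-o ConnectTimeout=3 -o BatchMode=yes`) decides the authentication path, so any transient probe failure (slow link, sshd rate limiting) silently downgrades a key-based login to a password login through `sshpass`, and the caller cannot tell which path ran. Make the password fallback opt-in (an explicit flag or environment switch) and fail closed when key auth was expected. Note also that the key-auth branch `scp "$@"` targets whatever host the caller put in `$@`, so `$VPS_HOST` is not actually enforced there.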
Both connect_vps and scp_vps use ssh/scp with -o StrictHostKeyChecking=no and -o UserKnownHostsFile=/dev/null, disabling SSH host key verification for this production VPS. This makes it trivial for a network-positioned attacker to impersonate the VPS, intercept backups, and capture root credentials while the script appears to run normally. Restore strict host key checking with a persistent known_hosts entry for the VPS instead of discarding host keys, and avoid disabling these options in automated backup tooling.
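A connect helper that keeps host key verification on, as an added example (not code from the PR): it refuses to connect unless the VPS key is already pinned in a dedicated known_hosts file, prefers key auth, and only falls back to a password read from the environment via `sshpass -e`. Assumed names: `VPS_KNOWN_HOSTS`, `require_env`, `pinned_host_key_ok`, `ssh_opts`, `vps_ssh`; known_hosts entries are assumed unhashed (no `HashKnownHosts`).

```shell
#!/bin/sh
# Added example (not code from the PR): connect to the VPS with host key
# verification kept on and no secret in the script. Assumptions: the
# caller exports VPS_HOST and VPS_USER; the VPS host key was fetched once
# out of band, compared with the provider's fingerprint, and stored
# unhashed in $VPS_KNOWN_HOSTS; sshpass is only a fallback.

VPS_KNOWN_HOSTS="${VPS_KNOWN_HOSTS:-$HOME/.ssh/known_hosts_vps}"

# Fail with a clear message when a required variable is unset or empty.
require_env() {
    eval "value=\${$1:-}"
    if [ -z "$value" ]; then
        echo "Error: $1 is not set; export it before running this script." >&2
        return 1
    fi
}

# Refuse to connect unless the pinned file already has a line for the host
# (plain or [host]:port form; dots in an IP match any character, which is
# fine for a pin check). No entry means we stop instead of accepting
# whatever key the network offers, which is what StrictHostKeyChecking=no did.
pinned_host_key_ok() {
    host="$1"; file="$2"
    [ -f "$file" ] || { echo "Error: $file missing; add the verified host key first." >&2; return 1; }
    grep -qE "^(\[)?$host(]:[0-9]+)?[ ,]" "$file" \
        || { echo "Error: no pinned key for $host in $file." >&2; return 1; }
}

# Options shared by every call: strict checking against the pinned file only.
ssh_opts() {
    echo "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1 -o ConnectTimeout=10"
}

vps_ssh() {
    require_env VPS_HOST && require_env VPS_USER || return 1
    pinned_host_key_ok "$VPS_HOST" "$VPS_KNOWN_HOSTS" || return 1
    opts=$(ssh_opts "$VPS_KNOWN_HOSTS")
    # shellcheck disable=SC2086  # $opts is intentionally word-split
    if ssh $opts -o BatchMode=yes "$VPS_USER@$VPS_HOST" true 2>/dev/null; then
        ssh $opts "$VPS_USER@$VPS_HOST" "$@"
    else
        # Fallback: sshpass -e reads SSHPASS from the environment, so the
        # password is never on the command line or visible in ps output.
        require_env VPS_PASSWORD || return 1
        SSHPASS="$VPS_PASSWORD" sshpass -e ssh $opts "$VPS_USER@$VPS_HOST" "$@"
    fi
}
```

Populate the pinned file once with `ssh-keyscan` output whose fingerprint you have checked against the provider's console, and the script fails closed from then on if the key ever changes.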
| StrictHostKeyChecking no | ||
| UserKnownHostsFile /dev/null | ||
| ServerAliveInterval 60 | ||
| ServerAliveCountMax 3 | ||
| Compression yes | ||
| ForwardAgent yes | ||
|
|
||
| Host hostinger | ||
| HostName 147.93.120.99 | ||
| User root | ||
| Port 22 | ||
| IdentityFile ~/.ssh/id_rsa | ||
| StrictHostKeyChecking no | ||
| UserKnownHostsFile /dev/null |
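Review bot: `ForwardAgent yes` in the first block enables agent forwarding for every session to this host; while a session is open, root on the VPS can use every key loaded in the local agent to authenticate to other systems. Drop it from the config and pass `-A` only on the individual invocations that need it (or use `ProxyJump` when the goal is hopping through the VPS).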
Both SSH host entries set StrictHostKeyChecking no and UserKnownHostsFile /dev/null, which disables SSH host key verification and prevents keys from ever being persisted. This makes it trivial for a network attacker to spoof 147.93.120.99 and transparently intercept or tamper with all SSH sessions started via ssh vps-hostinger or ssh hostinger. Remove these options so OpenSSH performs normal host key checking and uses the default known_hosts file, only relaxing checks in exceptional, tightly-controlled bootstrap scenarios if absolutely necessary.
| if ! command -v sshpass &> /dev/null; then | ||
| echo -e "${YELLOW}جارٍ تثبيت sshpass...${NC}" | ||
| sudo apt-get update && sudo apt-get install -y sshpass | ||
| fi | ||
| sshpass -p "$VPS_PASSWORD" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$VPS_USER@$VPS_HOST" "$@" |
The fallback SSH path in connect_vps disables host key verification by passing -o StrictHostKeyChecking=no and -o UserKnownHostsFile=/dev/null to ssh. With these options an attacker on the network can spoof the VPS IP, capture the hardcoded root password, and execute arbitrary commands under root while the script appears to succeed. Require standard SSH host key checking with a persistent known_hosts entry for the VPS instead of disabling these protections in automation.
| sshpass -p "$VPS_PASSWORD" ssh-copy-id -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$VPS_USER@$VPS_HOST" 2>/dev/null | ||
|
|
||
| if [ $? -eq 0 ]; then | ||
| echo -e "${GREEN}✅ تم نسخ المفتاح بنجاح${NC}" | ||
| echo "" | ||
| echo -e "${GREEN}يمكنك الآن الاتصال بدون كلمة مرور:${NC}" | ||
| echo "ssh $VPS_USER@$VPS_HOST" | ||
| echo "" | ||
| echo -e "${YELLOW}ملاحظة: يُنصح بتعطيل تسجيل الدخول بكلمة المرور في الخادم${NC}" | ||
| else | ||
| echo -e "${RED}❌ فشل نسخ المفتاح. جارٍ المحاولة يدوياً...${NC}" | ||
|
|
||
| # محاولة يدوية | ||
| PUB_KEY=$(cat ~/.ssh/id_rsa.pub) | ||
| sshpass -p "$VPS_PASSWORD" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$VPS_USER@$VPS_HOST" " | ||
| mkdir -p ~/.ssh | ||
| chmod 700 ~/.ssh | ||
| echo '$PUB_KEY' >> ~/.ssh/authorized_keys | ||
| chmod 600 ~/.ssh/authorized_keys | ||
| " | ||
|
|
||
| if [ $? -eq 0 ]; then | ||
| echo -e "${GREEN}✅ تم إعداد المفتاح يدوياً${NC}" | ||
| else | ||
| echo -e "${RED}❌ فشل الإعداد${NC}" | ||
| exit 1 | ||
| fi | ||
| fi | ||
|
|
||
| # اختبار الاتصال بدون كلمة مرور | ||
| echo -e "${YELLOW}جارٍ اختبار الاتصال...${NC}" | ||
| ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=5 "$VPS_USER@$VPS_HOST" "echo '✅ الاتصال ناجح بدون كلمة مرور'" 2>/dev/null |
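Review bot: `ssh-copy-id ... 2>/dev/null` at the top of the hunk and the final test `ssh ... 2>/dev/null` discard stderr, so when key installation or the test fails the user sees only the generic failure message and never the reason (permission denied, connection refused, wrong password). Keep stderr, or log it to a file the failure message points to. The manual fallback also appends `$PUB_KEY` to `authorized_keys` unconditionally, so every rerun adds a duplicate line; guard the `echo` with `grep -qF "$PUB_KEY" ~/.ssh/authorized_keys ||`.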
All of the SSH operations in this script (ssh-copy-id and fallback ssh commands) are invoked with -o StrictHostKeyChecking=no and -o UserKnownHostsFile=/dev/null, which disables server identity verification. During key setup this allows a man-in-the-middle on the network to impersonate the VPS, capture the root password, and insert their own key into authorized_keys. Restrict the use of relaxed options to a one-time, explicitly verified bootstrap (or avoid them entirely) and enforce normal host key checking with a persistent known_hosts entry for subsequent runs.
| echo "" | ||
|
|
||
| # فحص شامل للحالة | ||
| sshpass -p "$VPS_PASSWORD" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=10 "$VPS_USER@$VPS_HOST" << 'EOF' |
The SSH command here disables host key verification using -o StrictHostKeyChecking=no and -o UserKnownHostsFile=/dev/null, which makes man-in-the-middle attacks against this VPS much easier because server identities are never verified or pinned. An attacker controlling the network could impersonate the VPS IP and capture the hardcoded root credentials or inject arbitrary commands. Re-enable strict host key checking and use a persistent known_hosts file, pinning the VPS host key and only bypassing checks in tightly controlled bootstrap flows.
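A pre-commit style scan for the patterns raised across these reviews (hardcoded password literals, `sshpass -p`, `StrictHostKeyChecking no`, `UserKnownHostsFile /dev/null`, `ForwardAgent yes`), as an added example rather than anything from the PR; the function names and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example (not part of the PR): scan shell scripts and ssh configs
# for the insecure patterns raised in review. Prints file:line: reason and
# returns 1 when anything was found, so it can gate a commit or CI job.

# Q matches either quote character; used to spot literal password values.
Q="[\"']"

# check PATTERN REASON FILE: report every matching line, return 1 on hits.
check() {
    hits=$(grep -nE "$1" "$3" 2>/dev/null) || return 0
    printf '%s\n' "$hits" | while IFS= read -r line; do
        echo "$3:${line%%:*}: $2"
    done
    return 1
}

scan_vps_script() {
    file="$1"; status=0
    # A quoted value that does not start with $ is a literal, not an expansion.
    check "PASS(WORD)?=${Q}[^\$\"'].*${Q}" \
        'hardcoded password literal; read it from the environment' "$file" || status=1
    check 'sshpass[[:space:]]+-p[[:space:]]' \
        'password on the command line (visible in ps); use sshpass -e or -f' "$file" || status=1
    check 'StrictHostKeyChecking([[:space:]]+|=)no' \
        'host key verification disabled' "$file" || status=1
    check 'UserKnownHostsFile([[:space:]]+|=)/dev/null' \
        'host keys never persisted; pin them in a known_hosts file' "$file" || status=1
    check 'ForwardAgent[[:space:]]+yes' \
        'agent forwarding on for every session; use -A only when needed' "$file" || status=1
    return $status
}

# Writes a constructed sample (placeholder address and secret) to PATH.
write_constructed_sample() {
    cat > "$1" <<'EOF'
VPS_HOST="203.0.113.10"
VPS_PASSWORD="constructed-sample-secret"
sshpass -p "$VPS_PASSWORD" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "root@$VPS_HOST"
EOF
}

# Stand-alone demo: the constructed sample produces four findings.
sample=$(mktemp)
write_constructed_sample "$sample"
scan_vps_script "$sample" || echo "unsafe patterns found in $sample"
rm -f "$sample"
```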
Co-authored-by: wasal.stor <wasal.stor@gmail.com>
This commit removes extensive debug logging from the publishAll function in command-center.php and dashboard.html. It also enhances the tab switching functionality in agents-dashboard.html by passing the event object to the showTab function. Additionally, the .gitignore file is updated to exclude .cursor directory. Co-authored-by: wasal.stor <wasal.stor@gmail.com>
No code changes were made during this session.
Note
Introduces a full multi-page dashboard and agent tooling, plus a new analysis agent and SDK exports.
- dashboard.html and agents-dashboard.html with execution, analytics, logs, and settings; shared navigation/language/styles in common/
- dlplus/agents/analysis_agent.py (sentiment, topics, entities, keywords, summary, trends) and updates dlplus/agents/__init__.py to export TranslationAgent, AnalysisAgent, SDKAgent; bumps version to 2.0.0
- AGENTS_*, SDK_AGENT_GUIDE.md, LIBRARIES_*, VPS_*, NAVIGATION_SYSTEM.md, etc.)
- connect-vps.sh, …) and updates .gitignore to ignore backups/DB dumps and VPS files
Written by Cursor Bugbot for commit e30209d.